Skip to content(if available)orjump to list(if available)

Show HN: Pangolin – Open source alternative to Cloudflare Tunnels

Show HN: Pangolin – Open source alternative to Cloudflare Tunnels

114 comments

·July 10, 2025

Pangolin is an open source self-hosted tunneled reverse proxy management server with identity and access control, designed to securely expose private resources through encrypted WireGuard tunnels running in user space.

We made Pangolin so you retain full control over your infrastructure while providing a user-friendly and feature-rich solution for managing proxies, authentication, and access, all with a clean and simple dashboard web UI.

GitHub: https://github.com/fosrl/pangolin

Deployment takes about 5 minutes on a VPS: https://docs.fossorial.io/Getting%20Started/quick-install

Demo by Lawrence Systems (YouTube): https://youtu.be/g5qOpxhhS7M?si=M1XTWLGLUZW0WzTv&t=723

Some use cases:

  - Grant users access to your apps from anywhere using just a web-browser

  - Proxy behind CGNAT

  - One application load balancer across multiple clouds and on-premises

  - Easily expose services on IoT and edge devices for field monitoring

  - Bring localhost online for easy access
A few key features:

  - No port forwarding and hide your public IP for self-hosting

  - Create proxies to multiple different private networks

  - OAuth2/OIDC identity providers

  - Role-based access control

  - Raw TCP and UDP support

  - Resource-specific pin codes, passwords, email OTP

  - Self-destructing shareable links

  - API for automation

  - WAF with CrowdSec and Geoblocking
Visit

fossorialowen

Hello Eveyone, this is the other maintainer here. Just wanted to add some more detail about the other components of this system:

Pangolin uses Traefik under the hood to do the actual HTTP proxying. A plugin, Badger, provides a way to authenticate every request with Pangolin. A second service, Gerbil, provides a WireGuard management server that Pangolin can use to create peers for connectivity. And finally, there is Newt, a CLI tool and Docker container that connects back to Gerbil with WireGuard fully in user space and proxies your local resources. This means that you do not need to run a privileged process or container in order to expose your services!

PeterStuer

Been using this for a few months for serving from home with a tiny VPS at Hetzner tunneling the traffic to Newt behind my home firewall.

My experience went very smooth and stable. The one issue I thought I had turned out to be not related to Pangolin at all.

https://github.com/orgs/fosrl/discussions/950

v5v3

What's Newt?

PeterStuer

Newt ( https://github.com/fosrl/newt ) is a custom userspace Wireguard client that you run on the 'edge server' side (typically behind your home firewall) that is part of the Pangolin system. It reaches out to your Pangolin server (typically hosted on a small VPS with a static IP) and will take care of negotiating the Wireguard tunnel and managing dispatch to the different services you exposed and mapped on your LAN. Easiest way to understand the full stack is to have a look at https://docs.fossorial.io/Getting%20Started/overview wich includes a nice System Overview Diagram.

1vuio0pswjnm7

The official traefik v3.4.4 amd64 binary from Github is only 207MB.

https://github.com/traefik/traefik/releases/expanded_assets/...

FuriouslyAdrift

An entire docker image for HAProxy is only 41 MB... deb is 1.6 MB

1vuio0pswjnm7

I compile static-pie HAproxy binaries using different TLS libraries. Size varies a little based on the versions and compile-time options for those libraries

For example, max sizes for the largest and smallest TLS libraries I have tried

OpenSSL 9.0MB

WolfSSL 4.6MB

OpenSSL bloat is unfortunate

Does Traefik allow any TLS libraries other than OpenSSL

sgarland

Welcome to modern development, where no one gives a shit about binary size. It’s awful.

hardwaresofton

> Pangolin uses Traefik under the hood to do the actual HTTP proxying.

Traefik is awesome, and one of the biggest reasons is it's extensibility and robustness.

It absolutely does not get enough attention!

jtbaker

I’m using it as my ingress controller on my K3S homelab and it has definitely been a nice DX so far.

The one thing I haven’t been able to figure out how to do with it is do compression (gzip/br/zstd) there, so I’m handling it in the application layer, which feels suboptimal.

Any tips? Seems like a table stakes sort of feature in the space that shouldn’t be too hard to implement.

hardwaresofton

Did the compress middleware not work for you?

https://doc.traefik.io/traefik/middlewares/http/compress/

Are you trying to compress the request that has already come in to your cluster? I'm not sure there's a ton of value to be extracted there, since the requests have already made their way across the internet uncompressed to your ingress point.

If there's a "long way" to go after hitting your ingress controller then maybe there's something to be gained...

oulipo

Would be nice if there were a mini-tutorial in the doc for each of the use-cases you mention here, so we could quickly test it and see if it helps

fossorialowen

Coming soon! We are going to do a docs revamp!

44za12

This is super exciting! The “Cloudflare Tunnel” lock-in has always bugged me, so seeing an open source option is genuinely refreshing. I’m especially curious how Pangolin handles the gritty stuff—flaky networks, authentication headaches, scaling up when things get real. If anyone’s kicked the tires on this in the wild, how does it compare to the “it just works” magic of Cloudflare? Bonus points if you’ve wrangled it into playing nice with self-hosted stuff on a home connection. For context, I’ve got a Raspberry Pi running my blog and a bunch of other hobby projects from home, so real-world stories would be gold.

44za12

More on it here, for those interested:

https://aazar.me/posts/reincarnating-a-raspberry-pi

qskousen

I've been trying to get something like this working with frp and now sish but I'm not there yet. My use case is a little weird, I need to run the tunnel behind a traefik instance in k8s, with that traefik doing TLS termination, and I haven't been able to get anything working correctly yet. Maybe I'll give pangolin a try.

noduerme

This seems really interesting for managing a lot of remote dev boxes or something like that...

so, kind of an uneducated question (from someone who isn't heavily involved in actual infrastructure)... I haven't used CF tunnels, and the extent of my proxying private services has pretty much been either reverse proxy tunnels over SSH, or Tailscale. Where pretty much any service I want to test privately is located on some particular device, like, a single EC2 instance, or my laptop that's at home while I'm out on my phone. Could you explain in layman's terms what this solves that e.g. tailscale doesn't?

fossorialowen

Thanks!

I think what you are using (SSH, Tailscale) is great for your use case! We see this as more of a static and permanent tunnel to a service - less ephemeral than a ssh tunnel - and more to get public users into your application. Meaning if you had a internal app for your business or some homelab application like Immich or Grafana at home/work that you want to expose to your family in their browser this could be a good tool to use. Does that make sense?

wredcoll

If you have an internal app or homelab app or whatever, why don't you just... route to it? Configure your firewall to let traffic in and out?

I get there's a tunnel provided by this sort of software, I just don't understand how so many people actually need one.

barbazoo

I’m using an nginxproxymanager as reverse proxy and ssl terminus for exactly that, Immich, home assistant, etc. What would I gain from your solution?

fossorialowen

I think if that works for you then stick with it! Pangolin would mostly do the same thing. I think if you wanted more auth control like users and pin codes and OIDC and roles you might not get that with NPM out of the box but could add on.

Pangolin has a tunnel component to it so if you were challenged on the ISP front you can put this on the VPS and it just makes configuring the connection back to the network easier so you don't need to set up WG back etc... It wraps it all up nicely in a UI and simple install script. It can also all be automated with the API if you are into that kind of thing.

noduerme

That makes a ton of sense actually! I'm excited to give it a try!

mbesto

I use CF tunnels pretty extensively with my home unraid server.

The TL;DR is this - there are certain apps I host that I want to be public and don't want to onboard a Tailscale node (for example my sister uses my Plex server). So, instead of setting up a reverse proxy, I simply create a subdomain in DNS (via CF) and then route that subdomain to the CF tunnel.

It's like 3 form entries to do all of this for one site/service and automatically creates an SSL cert for me. I love it.

jonotime

Out of curiosity why not give your sister restricted access to your tailnet instead? Then nothing is public.

omnimus

My guess is that teaching and convincing someone to install tailscale on every device they need access is a lot harder than sending a link.

Thats why i use pangolin.

noduerme

Tailscale and Plex do not play nicely, particularly since Plex implemented a bunch of shit to try to charge users for accessing their own files outside what it considers a local network. Switching to Jellyfin is on my maintenance list. It's very understandable that if you had given a family member access to your Plex server before this year and it "just worked" you might look now at Tailscale as a way to put them on your LAN and then decide that the complexity isn't worth it, given the hoops that Plex had apparently gone through to make that a non-viable option.

Fuck Plex, by the way. Good on them for building up and turning themselves into a streaming service of sorts. Add value and I'll pay for it. But suddenly one day your free mobile viewer app updates and requires payment to stream your own mp4 files? Seriously, they can go to hell. No one streaming movie files to their family is doing so because they love paying middle-men, by the way. And no core function of Plex can't be done freely.

hexfish

Are you aware that serving media streams over the tunnel might be against the ToS? This is what kept me from using it tbh.

null

[deleted]

j45

Tailscale (and headscale) is great for internal access to something that night not have public internet access. Others have mentioned an example of keeping a NAS off the public internet.

Cloudflare tunnels help expose a service to the internet with a bit more protection.

I have seen folks use both tailscale to access the backend and the public side is only Cloudflare tunnels.

It’s not unreasonable to point Cloudflare tunnels to a central and internal nginx proxy manager.

Tailscale can route the public internet into your services too can do this too but the protections in Cloudflare are likely a little more robust.

Panagolin looks interesting enough to try out, it could sit run behind Cloudflare tunnels while testing and then moved out.

Lord_Zero

I'm using caprover on a Linux VM with tailscale and cloudflare. Works great, it does require some tinkering because caprover doesn't like not being in control of SSL, and the nginx configs need to be manually edited per app if you want to set up headers for cloudflare real ip and stuff.

nirav72

Great seeing Pangolin posted on Show HN. I just got pangolin installed and configured this afternoon on a VPS. With Newt running locally on a cheap mini-pc to establish wireguard tunnel. It was a fairly easy process. Watched couple of videos on YT and then went through the well documented procedure on their site. So far everything seems to be working. I currently only have couple of apps exposed. Plus a private relay for Rustdesk. All working great. Plan on exposing/moving stuff off CF in the coming days. Once I lock down my home network and isolate stuff on separate VLANs.

While CF tunnels were nice and solved my ISP imposed issue with exposing ports via their crappy fiber gateway for couple of years. But I wanted more control. Specifically control over what I can expose without worrying about violating cloudflare’s TOS and ambiguity around media streaming. (Jellyfin/Emby).

PhilippGille

There are dozens of open source alternatives to Cloudflare Tunnels: https://github.com/anderspitman/awesome-tunneling

That being said, I believe Pangolin is one of the better and polished ones.

mekster

Which one is as feature packed as Pangolin with a working web UI?

coderhs

Amazing project. I have been using tail scale connected to an nginx proxy manager hosted on a VPS, to make my application public. Wrote about it here: https://hsps.in/post/how-i-host-public-apps-using-tailscale/

But pangolin seems to be similar to that setup with a good UI, and more control. Definitely trying it out.

Quick question: Can it handle multiple domain names? I point multiple domain to the vps hosting my npm it proxy's them from there. Does Pangolin, also support multiple domains pointing to it?

fossorialowen

Yes it can! You can point them all to the VPS as you say then just add them to the config file domains list. You can add as many as you need. https://docs.fossorial.io/Pangolin/Configuration/config#doma...

nickspacek

My homelab has a setup like this, but all done somewhat-manually. HTTPS for my Docker images running in the homelab via a certbot image. A Wireguard setup to connect the homelab to a small Hetzner VPS, and a proxy there to allow certain traffic through.

I've been wanting to add some authentication lately so that I can manage access to the homelab resources. I currently prohibit all traffic and only allow the Wireguard subnet, but this means any clients have to be provisioned in Wireguard, which is a nuisance to setup manually. It does seem to work well enough though.

Pangolin seems like it would be a one-stop replacement and simplify the setup, especially once I look at adding user management to the mix.

wredcoll

I keep seeing people say they run things like this and I continue to be confused.

> proxy there to allow certain traffic through.

Why not just run the proxy .. on your homelab?

djlameche

Sorry if this is a noobish question, but would this allow me to access services on a VPS, that I do not want publicly accessible on the internet?

In other words: Let's say I have a VPS with eg. Keycloak running on it. I want to be able to access it for management purposes but don't want it exposed to other people on the internet. Would Pangolin be a way for me to do this?

fossorialowen

Good advice in this thread. If its just you then ssh tunnels or tailscale or netbird or pure wireguard are all fine. You could use Pangolin for this and put auth in front of the web page of Keycloak using a local Pangolin site and that would be fine too. It depends on how important the security is to you and who else might want access.

dizhn

Don't you use Keycloak for SSO? The ports needed for that needs to be accessible so services can talk to it. If there's a dedicated port for management you can still use it with software like pangolin. Run the management service on only a local port and access using this software or wireguad.

I use authentik and as far as I know the management is on the same web port so I have to allow some paths to be accessible to the world.

djlameche

I'm not using anything YET. I am thinking about hosting a pepper variety database I am developing on a VPS for public use. I want to use Keycloak for authentication and also some other services alongside (eg. a headless CMS for writing some of the content).

The thing is, I don't have any prior experience with hosting at all. So I am wondering if I can reduce attack surface by making "management" services (Keycloak admin console, the headless CMS admin interface etc.) accessible only to me...

dizhn

> So I am wondering if I can reduce attack surface by making "management" services (Keycloak admin console, the headless CMS admin interface etc.) accessible only to me...

The answer to this is YES. Of course there are a variety of ways to implement. In your case I would start simple with something like wireguard. Keycloak won't be easy to install and configure as a beginner. If your needs are simple, check out https://github.com/lldap/lldap for authentication (and user management).

zakki

I guess you have to use firewall as well. So basically you block any access from internet except VPN service. And you can have rule which IP allowed to access your VPN service.

TheTxT

Did you already consider using ssh port forwarding? That way you can temporarily forward the local port that keycloak is running on to your machine

djlameche

I did not consider it yet, I will look into it. I am thinking about hosting a pepper variety databse that I am developing, but I have 0 experience with hosting software, so I am a bit wary about what I will be exposing...

jychang

You want Tailscale for that.

LucidLynx

What is the difference between Pangolin and NetBird, which is also a self-hosted and fully open-source solution?

https://github.com/netbirdio/netbird

dizhn

I believe netbird does not have all the features in the open source version. The one thing that was a show stopper for me was the SSO tax.

resiros

Would love to understand it better too. It looks like the use cases are similar but the tech is different. NetBird is an alternative to Tailscale that uses Wireguard under the hood while these seem to use Traefik under the hood.

I am personally a user of NetBird and love it.

The design of the UI is very similar though :)

fossorialowen

Pangolin is "public ingress to private networks" and not a mesh VPN/network builder. As you say I think NetBird is an alternative to Tailscale and we are an alternative to Cloudflare tunnels, Ngrok, or Zscaler. It is more about exposing things publicly with authentication in the browser for people to access than about building a network for disparate devices to communicate.

ghoshbishakh

It is correct that pangolin is something like pinggy.io or cf tunnels as you mention. But those do not give such fine grained access control it seems - like a firewall checking identity and all.

But definitely it is not a vpn or mesh network it seems.

rb666

Pangolin also uses WireGuard and does not lock features behind a paywall.

dizhn

for now anyway

kbumsik

How does it compare to frp, one of the most popular Open Source Cloudflare Tunnel alternative?

https://github.com/fatedier/frp

fossorialowen

I think with the web UI it is a little more user friendly but not as super familiar with FRP. I think we might have a little more authentication control on top of the tunnel for web traffic as well.

nicolas_

Everyone on /r/homelab has been talking about it over the last few months. I bought a VPS and later realized a cheap tiny PC would be better for my use case combined with Proxmox. The next step is configuring a few more services and installing Pangolin on the VPS for easy reverse proxy management. I haven’t used it yet but all in all it looks awesome and the reviews I’ve seen are overwhelmingly positive. Thank you for building it!

fossorialowen

Thanks!